Please Help: Dovecot ssl_ca selection based on remote IP address filtering not working.

Sean Gallagher sean at teletech.com.au
Thu Feb 9 05:23:44 UTC 2023


Hi All,

   I hope this is the correct place to post this. If not, apologies.

    I am in the process of updating my company's email servers and am 
trying to put Dovecot into an Alpine Linux container, hosted on ProxMox.

In my setup, local mail deliveries via LMTP can come from the MSA (for 
intra-company mail) and an MTA (for inbound mail).

The LMTP data is sent over IPv4 and is protected by TLS. Client 
certificates are used to authenticate sources.

I wanted to prevent Dovecot from accepting LMTP from any other source 
and the method I came up with to do this was to use filtering on the 
"remote" address.

I would create a "Fake" CA that had never signed a certificate and use 
that to evaluate the certificate presented by incoming connections from 
addresses other than the two legitimate sources.

This would cause all connections from "bad" addresses to be rejected. 
This seemed simple enough on paper but Dovecot just isn't playing along.


It seems that no matter what I do, I cannot get "remote" filtering to 
switch the "ssl_ca" parameter. I have put together a test bed to 
demonstrate.

I then use openssl s_client to attempt to connect to the test bed container.

I've attached the instructions to build the test bed from scratch.

In all cases s_client reports "Acceptable client certificate CA names"
"CN = Fake CA"

I.e. it wants a certificate from the CA that has never signed a 
certificate and never will.


      Why not do the obvious thing?

I use LDAP to authenticate individual users and the user name will be 
reported over LMTP.

So to use the normal authentication mechanisms to authenticate the 
connection source, I would need to do two LDAP lookups, one for the 
connecting machine and one for the mail recipient.

It is not clear if this is possible from the documentation.


  *Questions:*

Is config file filtering broken or am I doing it wrong?

Is it possible to provide a different "ssl_ca" based on the remote IP 
address?

Is there an easier way to restrict LMTP connections to specific remote 
IP addresses?


p.s.

Filtering just doesn't work like it's supposed to. Someone should look 
at that (especially multi-level) ..

See this: https://dovecot.org/pipermail/dovecot/2016-June/104770.html

    Any help would be greatly appreciated. I am at my wits' end with this.



-------------- next part --------------
Reference: https://dovecot.org/pipermail/dovecot/2016-June/104770.html


Create ProxMox container vmid=114 "dove" with IP address 192.168.61.214/24
Alpine Linux: alpine-3.15-default_20211202_amd64.tar.xz

# n.b. this mirror has dovecot 2.3.20
/sbin/setup-apkrepos http://mirror.aarnet.edu.au/pub/alpine/latest-stable/main/ http://mirror.aarnet.edu.au/pub/alpine/latest-stable/community/
apk -U upgrade
apk add dovecot dovecot-lmtpd

uname -a
  Linux dove 5.4.162-1-pve #1 SMP PVE 5.4.162-2 (Thu, 20 Jan 2022 16:38:53 +0100) x86_64 Linux
cat /etc/alpine-release 
  3.17.1
dovecot --version
  2.3.20 (80a5ac675d)

# Create Real and Fake certificate authorities and have the Real CA sign certificates for dove.example.com and smtp.example.com

cd /etc/ssl/dovecot/

openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:4096 -out ca_fake.key
openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:4096 -out ca_real.key
openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:4096 -out imap.key
openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:4096 -out smtp.key

openssl req -x509 -new -subj '/CN=Fake CA' -key ca_fake.key -nodes -sha256 -days 3650 -addext 'basicConstraints=critical,CA:TRUE' -addext 'keyUsage=keyCertSign,cRLSign' -out ca_fake.pem
openssl req -x509 -new -subj '/CN=Real CA' -key ca_real.key -nodes -sha256 -days 3650 -addext 'basicConstraints=critical,CA:TRUE' -addext 'keyUsage=keyCertSign,cRLSign' -out ca_real.pem

openssl req -new -nodes -key imap.key -sha256 -out imap.csr -subj '/CN=imap.example.com'
cat <<\EOF >imap.ext
basicConstraints = critical, CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:imap.example.com
EOF
openssl x509 -req -CA ca_real.pem -CAkey ca_real.key -sha256 -days 365 -in imap.csr -extfile imap.ext -out imap.pem

openssl req -new -nodes -key smtp.key -sha256 -out smtp.csr -subj '/CN=smtp.example.com'
cat <<\EOF >smtp.ext
basicConstraints = critical, CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:smtp.example.com
EOF
openssl x509 -req -CA ca_real.pem -CAkey ca_real.key -sha256 -days 365 -in smtp.csr -extfile smtp.ext -out smtp.pem

# Dovecot Absolute Minimum Config

cd /etc/dovecot
mv dovecot.conf dovecot.conf.orig
cat <<\END_CONF >dovecot.conf
protocols = lmtp
listen = 192.168.61.214

service lmtp {
  inet_listener lmtp {
    address = 192.168.61.214
    port = 24
    ssl = yes
  }
}
ssl = required
ssl_cert = </etc/ssl/dovecot/imap.pem
ssl_key = </etc/ssl/dovecot/imap.key
ssl_client_ca_file = /etc/ssl/dovecot/ca_real.pem
ssl_client_cert = </etc/ssl/dovecot/imap.pem
ssl_client_key = </etc/ssl/dovecot/imap.key
ssl_require_crl = no
auth_ssl_require_client_cert = yes

# multi-level filters appear to be broken. Not a huge problem
# the MTA will never talk IMAP and MUAs will never talk LMTP
# but still annoying :((

remote 192.168.61.214/0 {
  #protocol lmtp {
    ssl_verify_client_cert = yes
    ssl_ca = </etc/ssl/dovecot/ca_fake.pem
  #}
}
remote 192.168.61.207 {
  #protocol lmtp {
    ssl_verify_client_cert = yes
    ssl_ca = </etc/ssl/dovecot/ca_real.pem
  #}
}
END_CONF

doveconf -n
# 2.3.20 (80a5ac675d): /etc/dovecot/dovecot.conf
# OS: Linux 5.4.162-1-pve x86_64  
# Hostname: dove.teletech.com.au
auth_ssl_require_client_cert = yes
listen = 192.168.61.214
protocols = lmtp
service lmtp {
  inet_listener lmtp {
    address = 192.168.61.214
    port = 24
    ssl = yes
  }
}
ssl = required
ssl_ca = </etc/ssl/dovecot/ca_fake.pem
ssl_cert = </etc/ssl/dovecot/imap.pem
ssl_client_ca_file = /etc/ssl/dovecot/ca_real.pem
ssl_client_cert = </etc/ssl/dovecot/imap.pem
ssl_client_key = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_require_crl = no
ssl_verify_client_cert = yes
ssl_ca = </etc/ssl/dovecot/ca_fake.pem
ssl_verify_client_cert = yes
remote 192.168.61.207 {
  ssl_ca = </etc/ssl/dovecot/ca_real.pem
  ssl_verify_client_cert = yes
}

doveconf -f remote=192.168.61.207 ssl_ca
  ssl_ca = </etc/ssl/dovecot/ca_real.pem
doveconf -f remote=192.168.61.208 ssl_ca
  ssl_ca = </etc/ssl/dovecot/ca_fake.pem

/usr/sbin/dovecot

=========================================================
On 192.168.61.207
copy across //192.168.61.214/etc/ssl/dovecot/smtp.pem    to //192.168.61.207/tmp/smtp.pem
copy across //192.168.61.214/etc/ssl/dovecot/smtp.key    to //192.168.61.207/tmp/smtp.key
copy across //192.168.61.214/etc/ssl/dovecot/ca_real.pem to //192.168.61.207/tmp/ca_real.pem

ifconfig eth0
eth0      ...
          inet addr:192.168.61.207  Bcast:0.0.0.0  Mask:255.255.255.0
          ...

cd /tmp
openssl s_client -connect 192.168.61.214:24 -key smtp.key -cert smtp.pem -CAfile ca_real.pem

Acceptable client certificate CA names
CN = Fake CA  <<<<<<<<<<<<<<<<<<<<<<<< FATAL <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
=========================================================
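Added example, not part of the original post or of Dovecot: a small Python model of how the two remote {} blocks in the test-bed dovecot.conf above are matched against a connecting address. It assumes the longest-prefix ("more specific filter wins") semantics that the doveconf -f remote=... output above exhibits, and it models only the configuration-side selection, not what the running server actually presents in the TLS handshake.

```python
import ipaddress

# Constructed from the two remote {} blocks in the test-bed dovecot.conf.
REMOTE_FILTERS = {
    "192.168.61.214/0": "/etc/ssl/dovecot/ca_fake.pem",
    "192.168.61.207": "/etc/ssl/dovecot/ca_real.pem",
}


def parse_filter(spec):
    """Return the network a 'remote' filter covers; a bare address is a /32.

    strict=False mirrors the test bed: 192.168.61.214/0 has host bits set,
    which the parser masks away, so it is simply 0.0.0.0/0 (a catch-all)."""
    return ipaddress.ip_network(spec, strict=False)


def matching_filters(remote_ip, filters=REMOTE_FILTERS):
    """All remote filters that match, in config order. Shows that the
    /0 catch-all also matches the legitimate 192.168.61.207 source."""
    ip = ipaddress.ip_address(remote_ip)
    return [spec for spec in filters if ip in parse_filter(spec)]


def select_ssl_ca(remote_ip, filters=REMOTE_FILTERS, default=None):
    """ssl_ca chosen for remote_ip: the matching filter with the longest
    prefix wins (assumption: same rule doveconf -f remote=... applied above).
    Returns `default` when no filter matches."""
    ip = ipaddress.ip_address(remote_ip)
    best = None  # (prefix length, ssl_ca path)
    for spec, ca in filters.items():
        net = parse_filter(spec)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, ca)
    return best[1] if best else default


if __name__ == "__main__":
    for addr in ("192.168.61.207", "192.168.61.208", "10.9.8.7"):
        print(addr, matching_filters(addr), "->", select_ssl_ca(addr))
```

The model reproduces the doveconf -f results (.207 gets ca_real.pem, every other address gets ca_fake.pem); the s_client output above shows the server nevertheless advertising "Fake CA", so the discrepancy is between config evaluation and runtime, not in the filter syntax itself.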

